{"api_version":"1","generated_at":"2026-04-23T04:10:01+00:00","cve":"CVE-2020-14343","urls":{"html":"https://cve.report/CVE-2020-14343","api":"https://cve.report/api/cve/CVE-2020-14343.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-14343","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-14343"},"summary":{"title":"CVE-2020-14343","description":"A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2021-02-09 21:15:00","updated_at":"2023-07-06 18:15:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","name":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - April 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/SeldonIO/seldon-core/issues/2252","name":"https://github.com/SeldonIO/seldon-core/issues/2252","refsource":"CONFIRM","tags":[],"title":"Resolve CVE for PyYAML - CVE-2020-14343 · Issue #2252 · SeldonIO/seldon-core · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/yaml/pyyaml/issues/420","name":"https://github.com/yaml/pyyaml/issues/420","refsource":"MISC","tags":[],"title":".load() and FullLoader still vulnerable to fairly trivial RCE · Issue #420 · yaml/pyyaml · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1860466","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1860466","refsource":"MISC","tags":["Issue Tracking","Third Party Advisory"],"title":"1860466 – (CVE-2020-14343) CVE-2020-14343 PyYAML: incomplete fix for CVE-2020-1747","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-14343","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14343","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"14343","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_cloud_native_core_network_function_cloud_native_environment","cpe6":"1.10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"14343","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_cloud_native_core_network_function_cloud_native_environment","cpe6":"22.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"14343","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pyyaml","cpe5":"pyyaml","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"14343","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pyyaml","cpe5":"pyyaml","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-14343","qid":"159289","title":"Oracle Enterprise Linux Security Update for python38:3.8 and python38-devel:3.8 (ELSA-2021-2583)"},{"cve":"CVE-2020-14343","qid":"198358","title":"Ubuntu Security Notification for PyYAML vulnerability (USN-4940-1)"},{"cve":"CVE-2020-14343","qid":"239464","title":"Red Hat Update for python38:3.8 and python38-devel:3.8 (RHSA-2021:2583)"},{"cve":"CVE-2020-14343","qid":"239895","title":"Red Hat Update for Satellite 6.10 (RHSA-2021:4702)"},{"cve":"CVE-2020-14343","qid":"296067","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 33.94.0 Missing (CPUAPR2021)"},{"cve":"CVE-2020-14343","qid":"378427","title":"Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUAPR2023)"},{"cve":"CVE-2020-14343","qid":"500784","title":"Alpine Linux Security Update for py3-yaml"},{"cve":"CVE-2020-14343","qid":"501479","title":"Alpine Linux Security Update for py3-yaml"},{"cve":"CVE-2020-14343","qid":"501772","title":"Alpine Linux Security Update for py3-yaml"},{"cve":"CVE-2020-14343","qid":"504337","title":"Alpine Linux Security Update for py3-yaml"},{"cve":"CVE-2020-14343","qid":"670312","title":"EulerOS Security Update for PyYAML (EulerOS-SA-2021-1912)"},{"cve":"CVE-2020-14343","qid":"670367","title":"EulerOS Security Update for PyYAML (EulerOS-SA-2021-1958)"},{"cve":"CVE-2020-14343","qid":"670388","title":"EulerOS Security Update for PyYAML (EulerOS-SA-2021-1937)"},{"cve":"CVE-2020-14343","qid":"690117","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for pyyaml (c7ec6375-c3cf-11eb-904f-14dae9d5a9d2)"},{"cve":"CVE-2020-14343","qid":"710880","title":"Gentoo Linux PyYAML Arbitrary Code Execution Vulnerability (GLSA 202402-33)"},{"cve":"CVE-2020-14343","qid":"751033","title":"SUSE Enterprise Linux Security Update for python-PyYAML (SUSE-SU-2021:2818-1)"},{"cve":"CVE-2020-14343","qid":"752486","title":"SUSE Enterprise Linux Security Update for python-PyYAML (SUSE-SU-2022:2841-1)"},{"cve":"CVE-2020-14343","qid":"904855","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for mozjs60 (12376)"},{"cve":"CVE-2020-14343","qid":"904900","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for PyYAML (12296)"},{"cve":"CVE-2020-14343","qid":"905102","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for PyYAML (12456)"},{"cve":"CVE-2020-14343","qid":"907556","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for PyYAML (31782-1)"},{"cve":"CVE-2020-14343","qid":"940207","title":"AlmaLinux Security Update for python38:3.8 and python38-devel:3.8 (ALSA-2021:2583)"},{"cve":"CVE-2020-14343","qid":"960084","title":"Rocky Linux Security Update for python38:3.8 and python38-devel:3.8 (RLSA-2021:2583)"},{"cve":"CVE-2020-14343","qid":"980646","title":"Python (pip) Security Update for PyYAML (GHSA-8q59-q68h-6hv4)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-14343","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"PyYAML","version":{"version_data":[{"version_value":"PyYAML 5.4"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://github.com/yaml/pyyaml/issues/420","url":"https://github.com/yaml/pyyaml/issues/420"},{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1860466","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1860466"},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"refsource":"CONFIRM","name":"https://github.com/SeldonIO/seldon-core/issues/2252","url":"https://github.com/SeldonIO/seldon-core/issues/2252"}]},"description":{"description_data":[{"lang":"eng","value":"A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747."}]}},"nvd":{"publishedDate":"2021-02-09 21:15:00","lastModifiedDate":"2023-07-06 18:15:00","problem_types":["CWE-20"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":10},"severity":"HIGH","exploitabilityScore":10,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pyyaml:pyyaml:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"5.4","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"14343","Ordinal":"175573","Title":"CVE-2020-14343","CVE":"CVE-2020-14343","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"14343","Ordinal":"1","NoteData":"A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"14343","Ordinal":"2","NoteData":"2021-02-09","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"14343","Ordinal":"3","NoteData":"2021-02-09","Type":"Other","Title":"Modified"}]}}}